Similar literature
1.
Multi-variant execution is a technique that detects attacks by running heterogeneous, redundant variants in parallel. As an active defense technique, multi-variant execution (MVX) discovers attack behaviour through consistency checks among the heterogeneous variants running in parallel. Compared with patch-based passive defense, MVX can defend against known and even unknown vulnerabilities without relying on attack signature information, and it has broad application prospects in the field of network security. However, in practical deployment the boundary of the multi-variant execution architecture is unclear, so random numbers, process PIDs and similar values are passively brought into the scope of voting, producing false positives and preventing MVX from being compatible with a wider range of software systems. This paper analyses the causes of the false-positive problem in multi-variant execution and proposes I-MVX, a compiler-supported multi-variant fusion execution architecture consisting of a multi-variant synchronization programming framework and a runtime synchronization module. By adding a small number of compiler directives, I-MVX instruments and marks, at compile time, the code and variables inside the program that cause false positives; at run time a monitor synchronizes the variables and resources inside and outside the variant processes, eliminating false positives in multi-variant execution. The I-MVX compiler and synchronization monitor are designed and implemented on top of the LLVM/Clang compiler and a Linux kernel loadable module. Performance evaluation shows that I-MVX introduces average overheads of 2.13% on the SPEC 2006 benchmark suite and 13.2% on the tinyhttpd test program. The multi-variant fusion execution architecture effectively solves the false-positive problem of multi-variant execution at the cost of a small performance loss and improves the usability of multi-variant execution. Security tests based on real CVE vulnerabilities show that I-MVX improves the compatibility of multi-variant execution while preserving the effectiveness of its security defense.

2.
From a security standpoint, multi-variant execution (MVX) is widely used in network security defense, but it has a common problem: when the variants return their outputs to the arbiter, the false positives produced on merging those outputs are hard to resolve. Setting aside objective factors such as the machine environment, false positives arise because, once the voter receives the merged information, it makes security judgements on the inconsistent variables; besides the inconsistent variables caused by real attacks, these also include inconsistent variables produced by normal system operation (such as memory descriptors, port numbers, random numbers, code, and the order of thread calls within a process), which cause the voter to misjudge and affect the normal operation of the multi-variant system. If the false-positive rate of multi-variant execution can be reduced, system efficiency and defensive capability can be effectively improved. This paper classifies the types of multi-variant execution proposed in recent years, summarises the false-positive problem and its solution strategies, analyses the causes of arbitration false positives, and selects three strategies for experimental analysis in specific application scenarios: synchronization using the Pina algorithm, instrumentation by a compiler module, and narrowing of the voting boundary. The functionality and performance of each method are analysed and the advantages and disadvantages of each strategy are pointed out. Finally, the unresolved difficulties of existing multi-variant execution techniques and future research directions are discussed.

3.
Multi-variant execution is a network security defense technique that uses software diversity to generate equivalent heterogeneous variants, distributes program input to multiple variants for parallel execution, and achieves attack detection by monitoring and comparing the states of the variants. Compared with traditional patch-based passive defense, multi-variant execution does not rely on analysing the characteristics of specific attack threats, but defends effectively against most known and even unknown vulnerabilities by building endogenous security capability into the system. In recent years multi-variant execution has been continuously improved and refined, but the false-positive problem remains the main factor restricting its development. This paper analyses in detail the causes of false positives in multi-variant execution and, on that basis, proposes using container technology to implement a multi-variant execution system, which has advantages in solving the false-positive problem. To improve the usability of multi-variant execution, this paper designs and implements CON-MVX, a container-based multi-variant execution system that effectively solves the false-positive problem of traditional multi-variant execution systems. CON-MVX uses multiple heterogeneous containers built with runtime randomization as variants, orchestrates and manages the container variants with reconfigurable modular components and an independent container management tool, and establishes an inter-process monitor, CGMon, which implements input synchronization and output arbitration for the variants at the kernel level. To interact well with clients, a relay-port strategy is also established to guarantee normal feedback of the system's running state. Experimental results show that CON-MVX effectively reduces the false-positive rate of a multi-variant execution system while preserving its security capability; under dual-redundancy execution on the SPEC CPU 2006 benchmark suite, the average additional performance overhead introduced by the system does not exceed 15%.

4.
The attack surface is an important metric of the security of a software system; an attack-surface description can describe and measure a software system's security in terms of sets. General attack-surface models model the software system on the basis of the I/O automaton model and usually assume a non-redundant architecture, which is difficult to apply to heterogeneous redundant architectures such as multi-variant systems. Manadhata et al. proposed a way to measure the attack surface of dissimilar-redundancy systems, but the voting granularity and voting method of the architecture they adopt differ from those of multi-variant systems, so the attack surface of a multi-variant system cannot be measured accurately. Therefore, starting from the traditional attack-surface model and combining it with the characteristics of the heterogeneous redundant architecture of multi-variant systems, the traditional model is extended and an attack-surface model for multi-variant systems is constructed; the attack surface of a multi-variant system is represented formally, and the traditional model is improved according to the voting mechanism at the system's exit points so that it can explain the phenomenon of attack-surface reduction in multi-variant systems. Through this modelling approach, the change in the attack surface of a multi-variant system during operation can be explained. Two groups of software systems with multi-variant execution architectures are analysed as case studies; each is compared, in both the un-attacked and the attacked scenario, with a functionally identical software system that does not adopt the multi-variant architecture, showing the change in the attack surface of the multi-variant system. Combining attack-surface theory with the characteristics of multi-variant execution systems, an attack-surface modelling method for multi-variant execution systems is proposed; at present it can qualitatively analyse changes in the attack surface of multi-variant execution systems, and quantitative analysis will be studied further in future work.

5.
The Linux operating system, embedded systems, avionics systems, communication systems and the like are generally written in C/C++, because C is close to the underlying hardware, highly portable and efficient in execution. With the advent of multi-core parallel machines, many languages have begun to support multithreaded programming. Because C itself does not check memory boundaries on memory accesses, it gives rise to reliability and security problems in software systems. For multithreaded C programs, the non-determinism of multithreaded programs makes runtime verification of their memory safety even harder. Using an improved pointer-based runtime verification technique, multi-core multithreading, parallel computing, lock-free data structures and source-code instrumentation, combined with the open-source Clang compiler, the prototype tool Movec is extended to support multithreaded C programs. The tool implements runtime verification of memory-safety problems in multithreaded C programs. Experiments on the MiBench and SARD test cases verify the tool's effectiveness in runtime verification of multithreaded C programs.

6.
Threading allows a C# program to perform concurrent processing so that multiple operations can execute at the same time. This paper describes thread states and explains several ways of synchronizing data processing between threads when programming in C#: using monitors to synchronize access to variables, using events to synchronize threads, and using a Mutex to synchronize multiple objects and avoid deadlock. These multithreaded synchronization methods avoid the thread synchronization errors that arise in multithreaded data processing.

7.
Thread-sensitive profiling technique based on partial call graphs
Profiling provides information about the actual execution of a program. In a dynamic compilation environment, the runtime overhead of profiling makes it difficult to collect more complex runtime information. This paper proposes a profiling technique based on partial call graphs that effectively reduces runtime overhead when collecting various thread-related execution information in multithreaded programs. The technique is implemented on an open-source virtual machine. Experiments show that its runtime overhead is only 2%–4% of the original.

8.
Low-power compiler optimization techniques for multithreading
A theoretical model and method are proposed for effectively reducing power consumption in a multithreaded architecture by lowering the execution frequency. First, a computational model for identifying threads that can run at reduced frequency and the computation of the frequency-reduction factor are studied; then a low-power compiler optimization algorithm and implementation strategy are given that, during compilation, combine thread partitioning with analysis of the application's behaviour. The model and method are applicable to multiprocessor-style multithreaded architectures whose execution frequency can be adjusted dynamically, and can both exploit TLP (thread-level parallelism) and effectively reduce power consumption.

9.
I. The COM threading model. Windows is a multithreaded operating system. Multithreaded programming brings benefits such as high performance, real-time responsiveness and concurrent operation, but at the same time it makes writing correct and robust code harder. A Win32 programmer must lock and synchronize any shared resource that is vulnerable to inconsistency and misuse whenever multiple threads are involved. To balance the concurrency performance of components against the synchronization problems of multithreaded programming, COM introduces the concept of a threading model. In COM, within a process there exist

10.
Speculative multithreading exploits the thread-level parallelism of applications through speculative execution in order to improve execution performance. The technique generally uses an execution model to detect possible thread mis-speculation at run time and adopts suitable mechanisms to restore correct execution. Prophet, described here, is a hardware-based speculative multithreading execution model. This paper focuses on Prophet's solutions to the key design problems of an execution model, including Prophet's thread state control and its multi-version Cache system; the multi-version Cache system provides speculative data buffering and implements data-dependence violation detection with a bus-snooping-based Cache protocol. Results of functional and performance tests of the Prophet execution model on the Olden benchmark programs are also given, and the analysis shows that the Prophet system can effectively exploit the thread-level parallelism of applications.

11.
SIGNAL belongs to the synchronous languages family which are widely used in the design of safety-critical real-time systems such as avionics, space systems, and nuclear power plants. This paper reports a compiler prototype for SIGNAL. Compared with the existing SIGNAL compiler, we propose a new intermediate representation (named S-CGA, a variant of clocked guarded actions), to integrate more synchronous programs into our compiler prototype in the future. The front-end of the compiler, i.e., the translation from SIGNAL to S-CGA, is presented. The proof of semantics preservation is also mechanized in the theorem prover Coq. Moreover, we present the back-end of the compiler, including sequential code generation and multithreaded code generation with time-predictable properties. With the rising importance of multi-core processors in safety-critical embedded systems or cyber-physical systems (CPS), there is a growing need for model-driven generation of multithreaded code and thus mapping on multi-core. We propose a time-predictable multi-core architecture model in architecture analysis and design language (AADL), and map the multi-threaded code to this model.

12.
Concurrent program slicing is an important means of concurrent program analysis. Targeting the shared-variable communication mechanism of multithreading, and on the basis of the basic program information obtained with the program analysis tool CodeSurfer, a program reachability graph is constructed and a concurrent program dependence graph is generated whose nodes are pairs of program state and statement; a prototype system for concurrent program slicing based on the program reachability graph is implemented. Preliminary experimental results show that, compared with traditional slicing methods, the concurrent program slicing method based on the program reachability graph effectively solves the problem of non-transitive dependences and yields high-precision slices of concurrent programs.

13.
The performance of multithreaded programs is often difficult to understand and predict. Multiple threads engage in synchronization operations and use hardware simultaneously. This results in a complex non-linear dependency between the configuration of a program and its performance. To better understand this dependency a performance prediction model is used. Such a model predicts the performance of a system for different configurations. Configurations reflect variations in the workload, different program options such as the number of threads, and characteristics of the hardware. Performance models are complex and require a solid understanding of the program's behavior. As a result, building models of large applications manually is extremely time-consuming and error-prone. In this paper we present an approach for building performance models of multithreaded programs automatically. We employ hierarchical discrete-event models. Different tiers of the model simulate different factors that affect performance of the program, while interaction between the model tiers simulates mutual influence of these factors on performance. Our framework uses a combination of static and dynamic analyses of a single representative run of a system to collect information required for building the performance model. This includes information about the structure of the program, the semantics of interaction between the program's threads, and resource demands of individual program components. In our experiments we demonstrate that models accurately predict the performance of various multithreaded programs, including complex industrial applications.

14.
This paper introduces a generic framework for defining instructions, programs, and the semantics of their instantiation by operations in a multiprocessor environment. The framework captures information flow between operations in a multiprocessor program by means of a reads-from mapping from read operations to write operations. Two fundamental relations are defined on the operations: a program order between operations which instantiate the program of some processor and view orders which are specific to each shared memory model. An operation cannot read from the "hidden" past or from the future; the future and the past causality can be examined either relative to the program order or relative to the view orders. A shared memory model specifies, for a given program, the permissible transformation of resource states. The memory model should reflect the programmer's view by citing the guaranteed behavior of the multiprocessor in the interface visible to the programmer. The model should refrain from dictating the design practices that should be followed by the implementation. Our framework allows an architect to reveal the programming view induced by a shared-memory architecture; it serves programmers exploring the limits of the programming interface and guides architecture-level verification. The framework is applicable for complex, commercial architectures as it can capture subtle programming-interface details, exposing the underlying aggressive microarchitecture mechanisms. As an illustration, we define the shared memory model supported by the PowerPC architecture, within our framework.

15.
Distributed shared memory (DSM) allows parallel programs to run on distributed computers by simulating a global virtual shared memory, but data racing bugs may easily occur when the threads of a multi-threaded process concurrently access the physically distributed memory. Earlier tools to help programmers locate data racing bugs in non-DSM parallel programs are not easily applied to DSM systems. This study presents the data race avoidance and replay scheme (DRARS) to assist debugging parallel programs on DSM or multi-core systems. DRARS is a novel tool which controls the consistency protocol of the target program, automatically preventing a large class of data racing bugs when the parallel program is subsequently run, obviating much of the need for manual debugging. For data racing bugs that cannot be avoided automatically, DRARS performs a deterministic replay-type function on DSM systems, faithfully reproducing the behavior of the parallel program during run time. Because one class of data racing bugs has already been eliminated, the remaining manual debugging task is greatly simplified. Unlike previous debugging methods, DRARS does not require that the parallel program be written in a specific style or programming language. Moreover, DRARS can be implemented in most consistency protocols. In this paper, DRARS is realized and verified in real experiments using the eager release consistency protocol on a DSM system with various applications.

16.
Predicate abstraction and counterexample-guided abstraction refinement (CEGAR) have enabled finite-state model checking of software written in mainstream programming languages. This combination of techniques has been successful in analysing system-level sequential C code. In contrast, there is little evidence of fruitful applications of CEGAR to shared-variable concurrent software. We attribute this gap to the lack of abstraction strategies that permit a scalable analysis of the resulting multi-threaded Boolean programs. The goal of this paper is to close this gap. We have developed a symmetry-aware CEGAR technique: it takes into account the replicated structure of programs that consist of many threads executing the same procedure, and generates a Boolean program template whose multi-threaded execution soundly overapproximates the original concurrent program. State explosion during model checking parallel instantiations of this template can now be absorbed by exploiting symmetry. We have implemented our method in a tool, SymmPa, and demonstrate its superior performance over alternative approaches on a range of synchronisation programs.

17.
An operation-based multi-level host intrusion detection model and method
A multi-level intrusion detection model based on user operations is proposed and a prototype system is implemented. In this model, the detection system monitors, at four levels, the operations that users perform on the protected computer system; the monitoring results are fused to obtain the final intrusion judgement. The model makes it easier to discover abnormal user behaviour while effectively reducing false positives. In conjunction with the prototype implementation, the methods of intrusion detection at each level are also discussed.

Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号